Danish energy sector hit by a wave of coordinated cyberattacks

The Danish energy sector has suffered what is believed to be the most extensive cyberattack in Danish history, according to SektorCERT.

Danish energy sector under attack

SektorCERT, an organization owned and funded by Danish critical infrastructure (CI) companies, uses a network of 270 sensors deployed across the country at these organizations to monitor internet traffic and detect possible cyberattacks.

From this vantage point, in May 2023, they detected three waves of attacks targeting companies in the energy sector.

The first one started on May 11, when the attackers simultaneously exploited a command injection vulnerability (CVE-2023-28771) in Zyxel firewalls deployed at 16 companies. The attackers gained control of the devices at 11 companies and had access to the critical infrastructure behind them, SektorCERT says. They used the access to grab data about the configuration and active accounts.

Even though CVE-2023-28771 was patched by Zyxel in April 2023, for various reasons the attacked companies had not installed the latest updates. The interesting thing, though, is that the attackers knew exactly which companies to hit.

“At this time, information about who had vulnerable devices was not available on public services such as Shodan. Therefore, the attackers had to have obtained information about who had vulnerable firewalls in some other way,” the organization noted, and added that their sensors did not register any scans that the attackers might have performed prior to the attacks.

“The other remarkable thing was that so many companies were attacked at the same time. This kind of coordination requires planning and resources.”

SektorCERT’s incident response team managed to stop the attackers before they could start further exploiting the achieved access.

On May 22, a second wave of attacks started. SektorCERT was alerted by a sensor that one of its member organizations was downloading new firewall software over an insecure connection. This allowed the attackers to include the infrastructure in the Mirai botnet and use it to carry out a DDoS attack against targets in Hong Kong and the US, before the compromised organization disconnected from the internet and went into “island mode” (i.e., isolated from the national electricity distribution network).

SektorCERT researchers believe that, during the second wave, the attackers also exploited two new vulnerabilities (CVE-2023-33009 and CVE-2023-33010) that Zyxel disclosed and patched a few days later (May 24).

Possible Sandworm involvement

A series of additional attacks went on until May 24, when SektorCERT was alerted to network traffic to one of the compromised organizations coming from an IP address previously used by the Sandworm APT, which has been known to target the Ukrainian energy grid for many years.

“Whether Sandworm was involved in the attack cannot be said with certainty. Individual indicators of this have been observed, but we have no opportunity to either confirm or deny it,” SektorCERT said.

It is likely that some of the attacks were simply opportunistic, while others might have had a more sinister goal. But none of them affected the operation of the Danish power grid.

SektorCERT has provided indicators of compromise (IoCs) and offered 25 recommendations for technical and organizational measures that organizations should implement to keep their networks safe.
